SitePoint Sponsor

User Tag List

Results 1 to 3 of 3
  1. #1
    SitePoint Enthusiast
    Join Date
    Apr 2006
    Location
    MA, USA
    Posts
    38
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Lightbulb Steps Toward Secure Sessions

    This is in response to the discussion about secure sessions in this thread: http://www.sitepoint.com/forums/show...04#post5579104

    First of all, session security is a large topic and can not be fully addressed in one thread.

    I am going to discuss user authentication and the bare minimum needed for secure session management. My intent is to show new developers a few pointers that I've picked up along the way. This is just a starting point for folks to work off of. From here you should use the best tool in a developers tool box, Google!

    As a general rule, sensitive user data should never be stored in a session or cookie. My current method is to create a random hashed value that can be stored in a cookie AND in the user's information contained in the database. You can then validate that both the value in the cookie and in the users database entry match. If so, then you can create a user object that contains sensitive user data, which is then disposed of after script execution.

    If the values do not match, you can then prompt the user to login. The sign in process will generate the random hashed value, store it in the cookie and in the user's database entry.

    Once the user logs out you can then destroy the cookie and remove the value from the user's database entry.

    I'm going to use code from a real world application for examples. This will allow you to see it in action, and this will cut down on the length of this post.

    Create Random Hashed Value

    First I need to create my random salt, which will make the hashed value unique on every page load: https://gist.github.com/jburns131/7014486

    Login User
    Now we'll address the user login. This is in the 'loginAttempt' method: https://gist.github.com/jburns131/7014456

    • I then check input from the login form for errors
    • I then check to see if they have entered a valid password
      • The password has been hashed using the crypt function, so I need to use crypt to validate it

    • If the password check is valid I then add my random hashed value to the database column for this user, then create a cookie containing the random hashed value.
      • Since I can have multiple installations using the same code I need to have a unique cookie name for each domain/subdomain, so that's what I do while setting up $cookieName



    Verify User is Logged In, Setup CurrentUser Object

    On page load we need to see if the user is logged in. We do that in the CurrentUser constructor: https://gist.github.com/jburns131/7014509

    • We check if the cookie exists
    • Then we check to see if the value in the cookie matches the value in the users database info
    • If the values match then setup the CurrentUser object by adding useful sensitive data to object properties. If it doesn't then do nothing and return false


    Using the CurrentUser Object

    Now you can instantiate the CurrentUser object, and if the current user is logged in then you can access the sensitive data as needed:

    Code:
    $currentUser = new CurrentUser($session);
    
    $currentUser->isLoggedIn(); // Can be used to validate whether the current user is logged in or not
    $currentUser->getId();
    $currentUser->displayName();
    Log Out User

    Now we need to remove traces of the random hashed value. This is done in the 'logoutAttempt' method: https://gist.github.com/jburns131/7014415

    • First we start the session so we can destroy it later on
    • Then we update the database entry with an empty string to remove the random hashed value from the database
    • We then destroy the session
    • We then destroy the cookie by giving it a date from the past


    This example is not exhaustive by any means, but it's a good starting point to move forward on.

    You will want to do a few google searches. I'd look for "php secure user authentication", "php session security" or maybe "php secure login".

    OWASP is also a great resource regarding web application security, and has a few good pages regarding user authentication and session security:

    https://www.owasp.org/index.php/Auth...on_Cheat_Sheet
    https://www.owasp.org/index.php/Sess...nt_Cheat_Sheet
    https://www.owasp.org/index.php/Test...ion_Management

    If anyone has any feedback please let me know. I am still on this journey, so any helpful constructive criticism is welcome.

    I hope this post will help give a little boost to those unfamiliar with the subject and point them down the path to enlightenment (and more secure apps) :-p
    jbWebWare.com - Bringing The Web To You!!!

    AllianceCMS.com - Bringing Us Together!!!

  2. #2
    SitePoint Member
    Join Date
    Oct 2013
    Posts
    1
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I have read this.......its amazing and i am really impressed.Thanks for sharing this nice info.

  3. #3
    SitePoint Enthusiast
    Join Date
    Apr 2006
    Location
    MA, USA
    Posts
    38
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thank you very much for the positive feedback!

    I'm glad I can share a little bit of my knowledge to help someone else :-)
    jbWebWare.com - Bringing The Web To You!!!

    AllianceCMS.com - Bringing Us Together!!!


Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •